UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549

OFFICE OF INSPECTOR GENERAL

MEMORANDUM

March 10, 2014

TO: Jeffery Heslop, Chief Operating Officer

FROM: Carl W. Hoecker, Inspector General

SUBJECT: Investigative Memorandum IM-14-001: Employee Exit Process - Records Review

The Office of Inspector General (OIG) recently investigated an employee's attempt to remove nonpublic information from the Securities and Exchange Commission (SEC). That employee was terminating their employment with the SEC and had nearly completed the exit process. The Office of Support Operations Office of Records Management Services (ORMS) noted federal records contained within eight boxes that the separating employee was sending to the employee's new private sector employer. ORMS took possession of the records and cleared the remaining non-records for removal from the SEC. The eight boxes were then sent to the employee's new private sector employer. The SEC OIG recovered the records in ORMS' possession, the eight boxes that had been sent, as well as documents recovered from the employee's home. The OIG's review of the boxes resulted in sensitive and nonpublic information being found in each of the eight boxes.

SEC Regulation (SECR) 7-1, Records and Information Management Program, dated November 14, 2012, establishes the SEC's policy governing the creation, organization, maintenance, use, and disposition of all SEC records. Section 7.2.4. of SECR 7-1 authorizes ORMS to implement safeguards to prevent the unauthorized access, removal, loss, or destruction of SEC records, and to recover records unlawfully removed from the custody of the Commission.

In accordance with the SEC's Employee Exit Portal (EEP), at the time of the incident ORMS was responsible for reviewing and clearing documents that employees plan to take with them when they leave the SEC to ensure that federal records are not removed. The OIG's investigation revealed that, other than the separating employee and an employee from ORMS, no other SEC employees reviewed the documents and materials that were to be removed from the SEC. The OIG also noted that the originating SEC divisions and offices would have the relevant knowledge for determining which documents should or should not be taken from the SEC, rather than ORMS employees. We also noted that the SEC's EEP did not contain any instructions about the exit procedures for records management and did not require separating employees to certify that they were not removing nonpublic information and that they had returned any documents taken offsite for teleworking or other purposes.

Subsequent to the OIG's investigation, ORMS published a new directive, Operating Procedure 7-le, entitled "Removal of Records and Non-Public Information by Departing SEC Personnel" in January 2014.[1] The objective of that directive is to deter the removal of records and nonpublic information by departing personnel. The directive includes information about the types of documents that employees cannot keep or remove upon their separation from the SEC. In addition, that directive requires employees to complete a records clearance form acknowledging that they have complied with the instructions within the directive and that they have returned and surrendered "documentary material" that employees cannot keep or remove. However, the directive does not provide for a review of documents the employee plans to remove from the SEC by the employee's office or division.

To further strengthen the SEC's exit procedures and to ensure that nonpublic or sensitive information is not subject to unauthorized release or disclosure when employees leave the SEC, the OIG is making two recommendations, listed below, to the Office of the Chief Operating Officer (OCOO). Within the next 45 days, please provide the OIG with a written corrective action plan (CAP) that addresses these recommendations. The CAP should include information such as the name of the designated responsible official or point of contact for the recommendations, estimated timeframes for completing required actions, and milestones identifying how the OCOO will address the recommendations.

Recommendation 1

The Office of the Chief Operating Officer should revise the agency's exit procedures and relevant policies for records management to require the divisions or offices of separating employees to review documents that the employees plan to remove from the SEC and determine which documents separating employees are authorized to take. Further, that determination should be included and clearly documented in the SEC's Electronic Exit Program prior to employees separating from the SEC.

Recommendation 2

The Office of the Chief Operating Officer should advise all employees, through training, correspondence, and other means, about the revised exit procedures and an employee's obligation to ensure nonpublic information is not improperly disclosed.

cc: Mary Jo White, Chair
    Luis A. Aguilar, Commissioner
    Daniel M. Gallagher, Commissioner
    Kara M. Stein, Commissioner
    Michael S. Piwowar, Commissioner
    Erica Williams, Deputy Chief of Staff, Office of the Chair
    Barry D. Walters, Director, Office of Support Operations
    David B. Brown, Archivist, Office of Records Management Services
    Darlene Pryor, Management and Program Analyst, Office of the Chief Operating Officer

[1] The directive is dated November 21, 2013, but it was issued to staff on January 9, 2014.